People Suck at Spotting Phishing
JohnGrahamCumming writes "Initial results at SpamOrHam.org show that people don't fare well when trying to spot spams and phishes. This blog entry shows some actual spams and phishes that people fell for, as well as genuine messages that they think are spam." The thing about these s[cp]ams is that they must work sometimes. When I see the messages, I can't fathom 'how'.
So... idiots get taken for their money? (Score:3, Insightful)
Re:So... idiots get taken for their money? (Score:5, Insightful)
Re:So... idiots get taken for their money? (Score:3, Informative)
Re:So... idiots get taken for their money? (Score:3, Informative)
Use SpamGourmet, URL in my URL field above.
With spamgourmet, you can create a new valid email on the fly in the format of:
newAccountName.X.myUserID@spamgourmet.com
At any time, newAccountName can be used. So travelocity can be used, or travel, or t, or tv, or whatever.
X is the number of mails you want to receive to that email. You can increase or decrease X if need be. 5 is usually sufficient for an online purchase.
myUserID is, well my userID that I use to lo
And the rest of us get bombarded (Score:3, Insightful)
You might be smart enough not to lose your shirt to a con artist, but if a new one knocks on your door every five minutes, you're going to be pretty damn annoyed.
Re:Most Phishing Is Simple To Stop (Score:2)
Re:Most Phishing Is Simple To Stop (Score:5, Interesting)
It's pretty easy to tell the phish from the non-phish, as I don't bank or shop at most of the places the phishers send my way. Also, should I receive an e-mail from my bank (which they already said they wouldn't send me--believing that snail mail is more secure and less likely to be abused), and I feel the need to get there to deal with whatever the message may be saying, I'm surely not going to click a link. Heck, I probably wouldn't even visit the bank during the same session for fear of some kind of redirect spyware that they tried to sneak into the session.
Looking at the URL and seeing "ebay.somewhere.ch" instead of "ebay.com" isn't secure enough anyway, as it's trivial to spoof the status bar with the hover-over text.
The only way to avoid being phished is to not trust any e-mail that has anything to do with anything related to money, savings, charge cards, or deals that are too good to be true--they are too good to be true. A good runner-up is to find a black-hole mail service (i.e., get your own domain name) and set up an account for each vendor you deal with, with a less-than-likely phishable address (e.g. nvrSp4mMy-ebay@mydomain.us). Then, never give your "real" e-mail address to any site you don't explicitly trust. Or even use the same black-hole method for sites you do trust--like slashdot@mydomain.us), instead opting for a black hole [liamon.com] e-mail address; this also helps identify who compromised your identity.
While some software is sometimes better at recognizing these things than others (I seldom get phish-mail at my GMail account, as they're recognized and flagged by the other users first), we still can't rely on an automated method to stop these things. It is on the individual to be responsible with their own information.
"I am not who I seem to be," is the safest way to present yourself to the generally anonymous Internet. That's the way they're presenting themselves.
Re:Most Phishing Is Simple To Stop (Score:3, Interesting)
In the general, low-tech phishing scheme, though, you've just received an e-mail that looks like its legitimately from an organization with
This really shouldn't be a surprise (Score:2, Insightful)
It's the same group that replies to spam messages asking to be removed, purchases from spammers and leaves their PCs connected 24/7 without spending any time to patch them.
So long as these people exist, nothing should be a surprise as to the effectiveness of phi
Re:This really shouldn't be a surprise (Score:5, Insightful)
Re:This really shouldn't be a surprise (Score:5, Interesting)
That might be a little harsh. We're seeing increasingly sophisticated phishing stuff -- right down to building a look-alike site of the bank which they are pretending to be.
I think it's getting increasingly difficult for even people who know what they're looking for to spot.
Yes, people need to learn the basics of how to spot and avoid spam and phishing. But, the increasing sophistication of the bad guys makes it a difficult thing to always identify.
Cheers
Re:This really shouldn't be a surprise (Score:2)
Many times, they let the bank serve the images for them. Saves the bandwidth on their stolen or owned box, and looks more legit.
A universal precaution I tell people.
1) Don't use HTML email. This was a mistake from day one. Text is fine. HTML belongs on the web.
2) Never, ever, ever click on a URL in a mail, even if it's text.
If your bank is saying that your accou
Re:This really shouldn't be a surprise (Score:4, Funny)
To really be safe, I always call the FDIC before each online transaction to make sure the "bank" I've been dealing with for years even exists.
Re:This really shouldn't be a surprise (Score:3, Insightful)
There is absolutely nothing sophisticated about phishing. It is rudimentary at best, and 100% avoidable.
1) If you get business-looking email from someone you don't have an existing business relationship with, it's not legitimate.
2) If you get email with a link to a site you have a business relation with, then type in the URL from the
Re:This really shouldn't be a surprise (Score:3, Insightful)
I don't think it's people abandoning their common sense as you say.
I think that if someone forged a letter which appeared to be from the actual bank you deal with, sent it to you in what appears to be their stationery and envelopes, and used a large amount of legitimate information to indicate that a new department needs to contact you and gave you
Re:This really shouldn't be a surprise (Score:5, Insightful)
I don't see how you could possibly think that the results of such a website could be meaningful. Spam filtering is a contextual process. This site cripples the critical component that allows humans to behave differently from naive filters, i.e. judgement based on memory. The claim being made here is that humans can't identify other people's spam (and this makes sense, how can you tell if you're shown a random email whether it's unsolicited or not? the only way you can is by knowing whether the recipient had been signed up for a mailing list or not!). You should NOT conclude, based on that fact, that humans are bad at identifying their own spam.
Re:This really shouldn't be a surprise (Score:3, Informative)
There used to be a test; back before connecting to the Internet was a matter of plugging the cable from your cablemodem into the back of your computer and clicking 'OK' on all the prompts, you actually had to have enough technical savvy to be able to set u
if it's done well, and some are (Score:5, Insightful)
I've seen more sophisticated phishing examples by far, and some are indistinguishable from what might be the real thing. The distinguishing factor from a genuine missive is that the best phishes have links to bogus addresses (sometimes denoted with only an IP address), and the destination site asks for information companies won't ask for from an e-mail.
One of the best phishes I've seen was sent to me -- it was ostensibly from my phone company, and it described a problem with my on-line bill pay (I don't). The letter was nicely formatted with the colors and icons of my phone company. The link was a giveaway, when I rolled over it, I could see the IP address, not a phone company web-site.
I researched this a bit more, went to my phone company's web site, and downloaded their graphics. A bit-for-bit comparison of their icons, etc., and the phishers' showed them to be identical. (Interestingly, this puts phishers also in the position of being guilty of more crime: copyright violations.)
Had my suspicions not been raised by the fact I wasn't participating in on-line bill pay and the phish indicated that problem, and had I not seen the IP address by rolling over the link (which I only did because of above suspicion), I easily could have been convinced I was dealing with a real e-mail (NOTE: this was two years ago, before phishing had become real big, and it was my first incident.)
I can easily believe many, if not most could fall for well crafted phishing expeditions. I would agree with the cited article, those are weak examples unlikely to catch savvy users (though they still could catch the naive, of which there are millions!). (And, I would claim some of the examples really are nothing more than SPAM.)
Re:if it's done well, and some are (Score:5, Insightful)
I agree with you. Some are sophisticated, but the link is ALWAYS a give away. It is either some kind of redirect, an IP address, or a Bogus URL altogether.
Then again, how many people that use AOL know what an IP address is? 10 ... 20%?
Fine, they obviously do work.
But, this is what I don't understand ...
How do these people avoid getting busted? They have IP addresses that point directly to the fake server. Finding out who owns the servers and where it is should be fairly elementary.
I mean, Sony/BMG can track down the exact studio apartment in Chicago of someone who downloaded "Oops, I Did It Again", but we have people conducting massive financial and wire fraud with blatantly displayed IP addresses, and we can't just go and snatch them by the head and give them a solid flogging?
Okay, so many are in other countries. But how many countries DON'T have laws against this?
Post a threat against the President, and the Secret Service would be at your door with K-Y and rubber gloves in 3 minutes and 21 seconds. Attempt global financial fraud, broadcast your IP, and everything is cool?
How do these people NOT get busted, and busted hard?
I don't get it.
Re:if it's done well, and some are (Score:5, Informative)
Because the person who owns the server is almost always some home user who plugged their Windows box directly into the internet. In the same way as compromised boxes are used to send spam, perform DDoS attacks, etc they are also used to run web servers for phishers.
How do these people NOT get busted, and busted hard?
As much as I like the idea of throwing people in jail who have too little clue to secure their machines, I'm afraid I don't think it'll do a lot to stop the phishers.
Re:if it's done well, and some are (Score:3, Insightful)
Agreed. But wouldn't the ISP of the innocent user have some kind of record of where the fraud messages are being sent?
Earthlink (or whatever the ISP was) was able to tell the DC Police the exact locations that Chandra Levy pulled up on Mapqu
Re:if it's done well, and some are (Score:3, Insightful)
No matter how many people you smack with a clue-by-four there are always more who need smacking. Unless over 99% of people start securing their machines we'll still get phishing - your argument is akin to "if we lock up burglars then no one will get burgled"... read the newspaper to see how well that one worked out.
and seizing the machine might actually provide clues to the real phisher.
It seems fairly unlikely - the machine will have be
Re:if it's done well, and some are (Score:3, Insightful)
Yes, they'll turn up, ask some questions and then leave you alone - you're not gonna get thrown in jail, even if you left your car unlocked with the keys in the ignition (although the insurance company ain't gonna pay out).
In the same way if your machine is used for a phishing scam expect to have your account terminated with prejudice, until you prove that you weren't involved.
You clearly ha
Re:if it's done well, and some are (Score:2)
It's not a question necessarily of whether there's a law against it. If a United States law enforcement agency called up Bulgaria and said "Hey, there's a guy running a phishing expedition from your country, send the cops out to their house!", what are the chances they'd do anything? In the whole scheme of things, they've got much larger fish to fry than someone duping Americans into giving away their credit ca
Re:if it's done well, and some are (Score:2)
When the banks and large corporations start hurting and eating more and more of this fraudulent activity, I have a feeling it will be bumped up a notch or two on the priority scale.
The only reason it has not reached this level already is because many of the attempts to date have been very inept and amateur.
As they get better and more sophisticated, success rates will
Re:if it's done well, and some are (Score:2)
It seems that even if I got duped into believing that some email written in broken English was from my bank, and even if I went ahead and logged in to the phony site, once I got there I'd see that it wasn't really my bank's site. At that point I cou
Re:if it's done well, and some are (Score:5, Interesting)
I have clicked on several obvious phish emails specifically to see what happened.
I would usually enter completely bogus information into it like:
Username: Bunghole
Password: eatmenowyoubuttmuch
It would take me to a plain page that simply said "Thank you for verifying your information!" or something similar and generic.
Every now and then it would redirect me to the real site.
I've never actually gotten into anything that looked like an account site. Once you provide the username/password, they are done with you and the phish ends there.
Sometimes it is fun to play around with the phishing scams. If everyone who knew what they were clicked on them, and provided useless and inaccurate info, phishing scams would become so overwhelmed with useless information that they just might have to come up with another idea.
Do your part! Screw with a scammer.
Re:if it's done well, and some are (Score:2, Informative)
This may seem obvious, but I wouldn't play this kind of game with IE. Or from Windows at all, for that matter.
Re:if it's done well, and some are (Score:2)
Firefox. Java off. TOR Plugin Enabled.
I always use this configuration when going to a site that I think is of questionable repute.
It's slow, but it works.
And to the following post, I don't think it would breed more phishers. You can only pound a banking site with bad usernames/passwords from the same subnet without someone noticing (I hope). The more junk they receive from knowledgeable u
Re:if it's done well, and some are (Score:3, Informative)
I'd imagine they are doing this with Firefox vulnerabilities as well.
Re:if it's done well, and some are (Score:3)
Every now and then it would redirect me to the real site.
I got a Paypal phish like that. They were doing a man in the middle attack. I don't have a Pay Pal account, so I knew it was bogus. The real Paypal site rejected my login. I didn't think to check the IP addresses at that time to see if I still was on a man in the middle link. If I was, they could have automatically dumped
Legit sites that don't look it. (Score:3, Insightful)
Unfortunately, there are problems with that as well - there are some legit sites that will redirect you off of their main domain, sometimes even to an IP address. Insane? Yes. But it happens. So for people who actually DO know what the hell they're doing, the problem isn't phishes that look like real sites, it's real sites that look like phishes.
Re:if it's done well, and some are (Score:2)
Re:if it's done well, and some are (Score:5, Informative)
One thing you didn't mention that might even get some slashdotters is that the "@" symbol in a URL is used by most browsers in a way (for authentication) that makes it possible to also spoof domains in a phish link. Try typing this address into your URL bar and you'll see what I mean:
http://www.ebay.com@64.236.24.12
Firefox presents a warning in this case because you're being redirected to a site that doesn't require authentication (CNN.com) yet you've provided authentication information. If the destination site (i.e. phish destination) had been crafted to require authentication and accept "www.ebay.com" as valid data, you'd get no warning.
Some of these URLs+site combinations had *very* well-crafted URLs using tricks like this that would almost certainly fool most users who had been told "don't click on a link unless it says it's going to 'ebay.com' in the status bar."
Re:if it's done well, and some are (Score:5, Informative)
That's why this is flawed advice, and it's why I don't give it. Instead, I tell people that they should NEVER click the link, even if it looks genuine. Instead, they should open their browser, type in the address or click their bookmark, and log in to their account.
This will prove most scams immediately (e.g. if you can log in, then your account has obviously NOT been suspended
Basically, the rule is the same as for unsolicited phone calls: always be the one to initiate the communication. If you phone your bank using the number on your statement, then you've got through to the right place. If you type the URL on your statement into the address bar, you've got to the right place. If you let somebody else initiate the communication, either by phoning you, sending email, fax, or whatever, and you trust them not to lie, then you're as good as caught already.
Re:if it's done well, and some are (Score:3)
If someone claiming to be from your bank phones you then you ask them security questions, not the other way around.
Re:if it's done well, and some are (Score:5, Informative)
The best one yet is where the target link went to a website, and through some javascript, put an image over the URL bar! The image had the right URL in it, and if you moved the window around, the image moved too (though, because it was javascript, the image movement lagged a bit, so depending on how fast you moved the window, you could see the real URL, then the image jumped over it). The reason I spotted it? the image was off by several pixels either way - I thought the text was a few pixels too low in the addressbar (and it was too far left - it went over the icon left of the URL bar). (This was in IE. In Mozilla/Firefox, when I could get it to work, the image was in the completely wrong place). That was probably 1 in 1000, though.
The other smart ones actually do verify the information you give them, too. I suppose for those, signing up with false eBay accounts and using that is good. (Good way to get rid of negative feedback accounts).
The less-good ones had an image that was clickable. Discovered only because text that isn't normally clickable is.
The vast majority are very poorly crafted emails, though. Spelling errors, sending more than one to the same email address (If you receive 3 or 4 Paypal or eBay phishes, it kinda gives the whole game away). And they don't hide the URL at all - just plain old non-redirector links. Phishing has reached the realm of the idiots.
Luckily, eBay and Paypal have several characteristics I've noticed in their legit emails:
1) If you use a separate email account for eBay and Paypal from your regular email, well, that is clue #1 if you receive an eBay or Paypal email in an account that isn't what you use for eBay and Paypal.
2) eBay emails will *always* include your eBay username in the email, not the email address. Paypal emails will include your real name as registered. This detail is almost always impossible to get directly unless you've conducted business with the target through eBay or Paypal.
3) eBay and Paypal use specific From addresses - all eBay item questions do *not* come from aw-confirm (that's only used by the bid confirmation system).
4) For eBay specifically, if you get a phish for an item, the item description is always included, while phishes just give you the item number (because the item description will tell you "fake" immediately). In addition, all eBay messages appear in the "My eBay" message section. If unsure, log in to eBay and check there.
Re:if it's done well, and some are (Score:4, Interesting)
www.ebay.com is not the same company as www.ebay.com.checkyouraccount.ru because they have to read the address backward and seriously
www.ebay.com.checkyouraccount.ru/~level1/level2/c
becomes really insane !
The problem is that after you (painfully) trained them, you notice that a lot of websites use insane URLs like that, and yet perfectly valid ones!
Example: Hotmail login
http://login.live.com/login.srf [live.com]?...
after several loops through passport.com,
and I also have to train my parents to use whois ???
And don't forget that I had first to explain what is a 'OS', 'program' and finally what a 'browser' is.
The result of all the lessons is that my father turned into an Internet paranoid. He is convinced his machine is crawling with spyware and that every single website is a phishing attempt.
And now, when he needs to access his bank account, I need to connect myself from my machine and tell him the result over the phone. The same when he needs to buy something. He never uses his machine for anything remotely personal.
That's real sad.
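The two tricks discussed in the comments above (the "@" userinfo trick in http://www.ebay.com@64.236.24.12 and the "read the hostname from the right" rule for www.ebay.com.checkyouraccount.ru) can both be checked mechanically. The following is an added example, not code from the page or from any of the commenters: it uses only the Python standard library, the sample links are constructed from the ones quoted in the thread, and the "last two labels" rule for the registrable domain is a deliberate simplification standing in for a real public-suffix lookup.

```python
"""Link triage: report the host a browser would actually connect to,
flag the userinfo-before-'@' trick and bare-IP hosts, and compare the
registrable domain (read from the right-hand end of the hostname) with
the domain the message claims to be from.  Added example, not from the
page; sample links are constructed; the registrable-domain rule is an
assumption (last two labels) rather than a public-suffix-list lookup."""
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    ASSUMPTION: a real implementation would consult the public suffix
    list (co.uk and friends break the two-label rule)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_link(url, expected_domain):
    """Return the connected host, its registrable domain and a list of
    findings explaining why the link does not go where it appears to."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # urlsplit drops userinfo here
    findings = []

    # 'www.ebay.com@64.236.24.12': everything before '@' is a username,
    # not a hostname, so the browser connects to what follows it.
    if parts.username is not None:
        findings.append(
            f"text before '@' ({parts.username!r}) is userinfo, not the host")

    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
        is_ip = True
    except ValueError:
        is_ip = False

    actual = host if is_ip else registrable_domain(host)
    if actual != expected_domain.lower():
        findings.append(f"link goes to {actual!r}, not {expected_domain!r}")

    return {"host": host, "registrable_domain": actual, "findings": findings}


def triage(links):
    """links: iterable of (url, expected_domain) pairs -> list of reports."""
    return [dict(url=url, **analyse_link(url, expected)) for url, expected in links]


# Constructed sample links, modelled on the ones quoted in the thread.
SAMPLE_LINKS = [
    ("http://www.ebay.com@64.236.24.12", "ebay.com"),
    ("http://www.ebay.com.checkyouraccount.ru/~level1/level2/c", "ebay.com"),
    ("https://www.ebay.com/", "ebay.com"),
    # Legitimate but confusing: Hotmail's login lives under live.com, so a
    # purely mechanical check flags it too, which is the post's complaint.
    ("http://login.live.com/login.srf", "hotmail.com"),
]

if __name__ == "__main__":
    for report in triage(SAMPLE_LINKS):
        verdict = "ok" if not report["findings"] else "; ".join(report["findings"])
        print(f"{report['url']}\n  host={report['host']}  -> {verdict}")
```

The last sample shows the limit of any such checker: login.live.com is genuine, but nothing in the URL ties it to hotmail.com, which is exactly why the commenter's parents could not be taught a purely syntactic rule and why the "type the address yourself" advice elsewhere in the thread is the more robust one.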
Re:if it's done well, and some are (Score:2)
Once, my girlfriend was sitting in front of her computer, fiddling with a bank statement, because she received an email from "our bank", stating that she should go to their online banking service. Allegedly, she should check a payment. To do so, she had to enter the account number and the PIN.
Fortunately, I saw her and could prevent her from clicking the submit button. I told her that there is no bank in the world asking customers to go online and enter that data. She'll never do that again.
Sinc
Re:if it's done well, and some are (Score:5, Funny)
*BSD 4 lyfe!
Sounds like BSD doesn't help much in that department either.
There's One rule I always Follow. (Score:2)
(Actually, it also helps when 90% of your mails are in spanish
Re:There's One rule I always Follow. (Score:2)
(b) Do you have a trustworthy white list? I doubt it.
Re:There's One rule I always Follow. (Score:5, Insightful)
I conduct almost all of my business online and I don't think this is necessary.
I am never, ever asked for a password or identifying information via email. At least never by the legitimate company.
And I never click a link in an email. If my bank/company wants me to update my information, I type their website URL by hand into Firefox, log into my account section, and do what I need to do.
It basically comes down to this: Don't click links in email.
This one basic rule really does solve 99.999% of all scam problems, while allowing you to conduct business online safely.
Comment removed (Score:4, Funny)
Re:There's One rule I always Follow. (Score:2)
Because... (Score:4, Insightful)
Most users just don't know better, despite best efforts to educate them otherwise, or make the scams obviously fraudulent. Ever seen that 'MSN will never ask you for your password!' type banner on things? Know how many people retain it? Very few.
Au contraire... (Score:2, Funny)
Re:Because... (Score:2)
A little off (Score:5, Insightful)
The same goes for the US Airways thing. Yeah, it's an example of "not spam", but if you haven't recently bought a US Airways ticket, then the safe bet would be that it is.
Oh... and the nun joke is fucking hilarious. That alone made TFA worth reading.
Re:A little off (Score:2, Insightful)
Re:A little off (Score:2)
spam is not the same as phishing! (Score:5, Insightful)
Most would say it's unsolicited commercial junk mail, but he seems to think it means "phony" email. Apparently he doesn't mind receiving weekly airfare specials containing choice bits like "BID FOR TICKETS TO THE BIG GAME IN THE BIG EASY!"
Also re phishing: I'd say paypal is largely at fault for this. They do (did?) send an awful lot of useless mail full of clickable links - they were just begging to get phished because people were so used to receiving authentic but useless clickable mail from them. None of my other banks have done this (although one sends a fair amount of crap not specific to my account - rates and such).
Re:spam is not the same as phishing! (Score:3, Informative)
For more details on issues arising in labelling the corpus, see Spam Corpus Creation for TREC [www.ceas.cc] or The TREC 2005 Spam Track Overview [uwaterloo.ca]. And if you have a spam filter, sign up for TREC 2006!
What's wrong with false positives for phishing? (Score:5, Insightful)
For example, I got one this morning talking about my home loan account with a large bank I don't have an account with. I know it's a phishing scam just from the From and Subject lines. However, if my own bank sent an email talking about my actual mortgage, I'd treat it in exactly the same way. There's no benefit to giving an email the benefit of the doubt. If there is something my bank needs from me, they can send a letter and I'll go to my local branch to take care of it in person.
The Power Of Attrition (Score:5, Insightful)
Let's say I handed you an entire crate of auto parts, and told you that some of them may be genuine parts, while others might be knockoffs. I give you a whole binder, filled with instructions on how to differentiate between all the different "good" and "bad" parts. Some of these knockoffs are obvious fakes; others are quite cleverly done, requiring you to check for minute details such as whether or not inner surfaces are well-polished, or subtle discrepancies in serial number schemes and product logos.
At what point do you just start winging it? After one day of studious sifting? After a week? A month? When you see a part that you're pretty sure is genuine, but would need to haul out the manual for ten minutes' worth of cross-checking part and serial number ranges to confirm this--at what point do you simply go with your gut?
When somebody who knows what they're doing goes about trying to hoodwink your typical individual, it can be very hard for the individual to know when they're being hoodwinked, even if they know they might be being hoodwinked. It's part of human nature--there's a point at which you just throw your hands in the air and grant your trust to an unknown entity, because it's too tedious or time-consuming to check everything out. Given the average person--heck, even a person who knows a fair amount about the subject--there'll be a point where they just take the damn part and have it installed in their car, because they just want to be done with it and get on with their life. It's the same thing with phishing--unless you're one of those few individuals who has fairly advanced knowledge on the subject, you're eventually going to give up and make a gut-reaction decision as to whether or not you "trust" the email you just got, simply because it's more trouble than it's worth to actually dig through it.
Re: (Score:2)
Re:The Power Of Attrition (Score:2)
Re:The Power Of Attrition (Score:2)
Here is another analogy:
Take a clear glass, and fill it with tap water.
Now tell me which water molecules have pollutants and which don't.
Oh okay, I will bite. (Score:2, Informative)
If one comes with the logo of your car brand and the other comes in a plastic bag with chinese instructions. Easy choice.
I only know a bit about mopeds (50cc limited bikes) because there was a huge industry for cheap parts but they really sucked donkey balls. Very poor quality and it showed.
Easily.
Perhaps alternators are different but I can tell the difference between a shoddy muffler and a good one in a secon
Re:Oh okay, I will bite. (Score:5, Insightful)
EVERY serious site has a disclaimer stating they will NOT ask you for your details by email. EVERY scam involves them sending an email asking for your details.
In the early days, yes. Now, many phishers have wised up. They'll send you a phish that, save for one or two links, looks absolutely legitimate. You click the link, it sends you to a page at ebay.verification-department.com that mimics an actual eBay login page. You'll "log in", then they'll welcome you and very professionally gather your information--all, of course, after you've "logged in" to their system.
You can't cheat an honest man
Oh, you most certainly can. Just 'cause something rolls off the tongue nicely doesn't mean it's true.
and you can't phish a person who thinks.
Again, we're talking about attrition and trust. Unless you have a quite solid understanding of what phishing is, how to identify it, and how to go about avoiding it, you're going to eventually just trust something that looks legitimate enough. It's simply not feasible to expect that every single user of email will have enough technical know-how to identify and avoid getting phished.
You've got telephone slamming, you've got phishing, you've got insurance fraud, you've got pyramid schemes, you've got con artists--if we were all simply smart enough to know a rat when we saw one, none of these would be a problem. The problem is that many, many people have ductile minds and want to trust other people. If you're somebody who is willing to cheat another person out of their money, odds are that you'll eventually nail somebody. It's attrition, plain and simple--eventually, people simply let their guard down, even if only for a moment.
Re:Oh okay, I will bite. (Score:2)
Unfortunately, #2 ("plastic bag with Chinese instructions") describes many of the "real" computer parts I've bought...
I agree with you in part; anybody who decides that the "BUY H3rb@| V1@gRa N0W!!!!!!!!" email is worth checking out is probably a lost cause. But a lot of people don't know how to tell what's real and what's not on the Internet, because it's not as simple as PBwCI. Some
Re:The Power Of Attrition (Score:3, Insightful)
Does this sound a bit absurd because car manufacturers don't actually mail parts directly to customers during a recall? Agreed. And my bank doesn't email me when there's a problem with my account. "Do not click any links in emails that sol
Re:The Power Of Attrition (Score:2)
Kn
Re:The Power Of Attrition (Score:2)
My last two rate change emails from DirecTV did not have the rate changes in the mail, nor was the info accessible if you went to DirecTV and logged into your account. Instead, it had a link that led to a *third-party* site.
SallieMae communicates about my student loan by emailing PDFs that you are supposed to put your password into to unlock. Unbelievable.
People suck, period. (Score:3, Funny)
Just a Joke (Score:2)
Lucky for them I have a training course on how to prevent this. Anyone interested please send me your name, phone number, mailing address and credit card number and I will get you signed up RIGHT AWAY!!!
Remember, you never spend enough to protect yourself!!!
For the humor impaired, this was a joke...
*Groan* (Score:3, Insightful)
If you don't believe me, go to the web site, and try classifying some emails... You'll see what I mean...
Where are emails from? (Score:2)
Making money by hook or crook... (Score:2)
Well..... (Score:3, Informative)
They of course didn't know anything about it; I checked the link and realized it was false. That was just long-term ingrained habit that pulled me out of that one, because it was an excellent phish. But how do you teach those habits of suspicion to a layman?
It's just a security issue. I deal with passwords all day every day, and people are awful with their password security. It just doesn't make any sense to them, and they all think that the consequences for this or that little security breach are harmless, and so when something like this comes along, they fall for it, hook, line, and sinker.
its all a scam (Score:3, Insightful)
How many times do I have to say it? (Score:2)
Duuuuuuuuuuuhhhhhhhhhhhhhhhhhhhhhhhhh!!
Look, your average Joe is not sophisticated; they're not going to know to look at the links in a phishing email and note they don't point to their bank's valid web address, nor be able to do a DNS lookup to figure out that Joe Whathisface is not the owner of the bank's valid domain name. They don't care about this. It's the same thing that happens when people get those fake sweepstakes things in the mail saying they've won something and, oh by the way, could you sed
Re:How many times do I have to say it? (Score:2)
If you chop off a duck's feet and surgically attach sparrow feet, it will no longer walk like a duck.
But yeah, duuuuuh. People are gullible, what else is new?
Re:How many times do I have to say it? (Score:3, Insightful)
The weight of getting the word out about these things to the average user is going to need to lie on someone, probably ISPs. It should be one of their responsibilities to attempt to keep their users safe. We can educate people about some of the basics, watching out for links that are just IPs, etc. (and Thunderbird already has some features regarding this), but some of the higher-level checks need to be done automatically by software.
But no matter how sophisticated filtering technology gets, the numer
It's quite simple... (Score:5, Funny)
Re:It's quite simple... (Score:2)
Mail programs need better IP filters (Score:4, Interesting)
If any header lies, e.g. IP address mismatches with domain name, or two successive Received-by headers don't have consistent information, then RED ALERT.
If the From domain doesn't appear in top-most received line, YELLOW ALERT. If it doesn't appear in any line, RED ALERT.
If the top-most received line's address is from a known spamming domain or open relay, RED ALERT.
If any previous mail-server, such as your ISP's, tagged the message with YELLOW or RED alerts, your alert should be at least this high.
Note that red and yellow alerts don't necessarily indicate spam. They are simply one of many indicators of spam, and should be used as input to the spam/ham decision-making process.
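The alert rules in the comment above, turned into working code as an added example (not the poster's code): the hop-chain check, the From-domain checks, a known-relay check, and inheriting an upstream verdict. The `X-Alert-Level` header name, the open-relay list, and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

GREEN, YELLOW, RED = "GREEN", "YELLOW", "RED"
RANK = {GREEN: 0, YELLOW: 1, RED: 2}
KNOWN_BAD_HOSTS = {"relay.openrelay.example"}   # constructed open-relay list (assumption)
UPSTREAM_ALERT_HEADER = "X-Alert-Level"         # hypothetical header carrying an upstream verdict

def parse_hop(line):
    # Return the (from_host, by_host) pair named in one Received header.
    frm = re.search(r"\bfrom\s+([\w.-]+)", line)
    by = re.search(r"\bby\s+([\w.-]+)", line)
    return (frm.group(1).lower() if frm else None, by.group(1).lower() if by else None)

def header_alert(raw_message):
    """Apply the poster's rules to a raw message; returns (level, [(level, reason), ...])."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []          # top-most (newest) hop first
    hops = [parse_hop(h) for h in received]
    alerts = []
    # Rule 1: the newer hop's 'from' host must be the server the older hop was received 'by'.
    for newer, older in zip(hops, hops[1:]):
        if newer[0] and older[1] and newer[0] != older[1]:
            alerts.append((RED, f"hop chain broken: {newer[0]} != {older[1]}"))
    # Rule 2: From domain missing from the top-most hop is YELLOW, from every hop RED.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain and received:
        if from_domain not in received[0].lower():
            alerts.append((YELLOW, f"From domain {from_domain} not in top-most hop"))
        if not any(from_domain in h.lower() for h in received):
            alerts.append((RED, f"From domain {from_domain} not in any hop"))
    # Rule 3: top-most hop handed in by a known spamming host or open relay.
    if hops and hops[0][0] in KNOWN_BAD_HOSTS:
        alerts.append((RED, f"top-most hop from known relay {hops[0][0]}"))
    # Rule 4: never score lower than an upstream server already did.
    upstream = msg.get(UPSTREAM_ALERT_HEADER, "").strip().upper()
    if upstream in (YELLOW, RED):
        alerts.append((upstream, "upstream server already flagged it"))
    level = max([GREEN] + [lvl for lvl, _ in alerts], key=RANK.get)
    return level, alerts

# Constructed sample messages (not real mail): a clean two-hop chain and a forged one.
LEGIT = """Received: from mx.bank.example (mx.bank.example [192.0.2.10]) by mx.isp.example; Mon, 1 May 2006 10:00:00 +0000
Received: from app01.bank.example by mx.bank.example; Mon, 1 May 2006 09:59:58 +0000
From: alerts@bank.example
"""
PHISH = """Received: from relay.openrelay.example (unknown [198.51.100.7]) by mx.isp.example; Mon, 1 May 2006 10:00:00 +0000
Received: from pc.home.example by smtp.other.example; Mon, 1 May 2006 09:59:00 +0000
From: security@bank.example
"""
```

As the comment itself notes, the returned level is one input to a spam/ham decision, not a verdict; `header_alert(LEGIT)` comes back GREEN with no reasons, while `PHISH` trips all three RED rules plus the YELLOW one.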
IE 7 helps with this (Score:2)
Re:Mail programs need better IP filters (Score:2)
You just reinvented something many server-side spam filters already do.
No HTML mail (Score:5, Insightful)
Re:No HTML mail (Score:2)
SpamOrHam.org displays the raw message below the image. Just scroll down a bit.
Re:No HTML mail (Score:2, Insightful)
The right spam at the right time can catch you out (Score:2)
Then one day, I bought something off eBay, and used PayPal. About 4 minutes later, I got the ping of something arriving in my mailbox. It was from PayPal. It said my credit card payment had been refused. I realised I might have changed credit cards since I last used PayPal, so off I went to log in and check my details were up to date.
I got ab
In other news -- this is our fault! (Score:3, Insightful)
Jokes about statistics aside, people falling for phishing is our fault. Our fault as in our industry's fault.
We've spent so long training our parents, help-desk clients, and other tech-stupid creatures that the way to respond to mysterious dialog boxes is to "Just click OK!" that at this stage the damage is essentially permanent.
Their natural instinct was to treat computers with suspicion, and we beat it out of them.
Yay for us.
Re:In other news -- this is our fault! (Score:2)
PHB Interview (Score:3, Funny)
Another couple of candidates and he would get through his inbox.
There's an intense feeling of Deja-Vu here.
which means next to nothing (Score:2)
Training or brain difference? (Score:2)
I would suggest it's mostly training, or a lack thereof, that leads people to thinking they have to validate their account. If they knew to check the URL, and beyond that knew their bank isn't going to email them, then this would hardly be a problem except for the most "simple" users who happen to be "simple" people too.
Google Mail Excels at spotting Phishing (Score:2)
The phishes they catch are fairly subtle; they are burying their evil link in HTML which renders OK, and only the phony grammar of the message gives it away:
"Once you have updated your account records, your
PayPal=AE session will not be interrupted and will continue as normal. Go to the link below.
h [paypal.com]
Re:Google Mail Excels at spotting Phishing (Score:2)
<a target=3D"_blank" onfiltered=3D"window.status=3D'https://www.pay=
http://www.paypal.com/cgi-bin/webscr?cmd=3D_login
I beg to differ (Score:2)
Without knowing the context of some of the messages, some of the messages labelled legitimate can easily be spam.
They read every bit like other messages which are spam. Remember, spam is:
Unsolicited Bulk Email.
Reading those messages without knowing the user's history with the senders, they may or may not be legitimate.
Many have softened and gone with the FTC's definition where it must be business-oriented, but as far as many in the anti in the community can be, it can be political[1], religious,
Haiku (Score:2)
In a trice without warning the face of nature
grew sullen Black angry mouths, the clouds
swallowed up the sun The air was dense with
suppressed excit
Trial Copy? (Score:2, Informative)
Looks like a "feature" of some screenshot capture shareware.
Nevertheless, I think (having in mind the topic of TFA) this doesn't add them much credibility.
Re: (Score:2)
Funny feeling (Score:5, Informative)
I have a simple ruleset (Score:3, Insightful)
Rule 2: If it seems legit, then go to your browser and manually go to the institution's website and log in normally, do not use hotlinks provided in any email.
My rule 1 used to be just "it's not legit" - none of my financial institutions EVER contacted me via email up until about 6 months ago. Now they do, so I've modified it a bit.
You'd think people would get a BIT of a clue from the fact that, like me, they must be getting very valid-looking emails from places that they don't even have accounts with. You'd think that would tell them something.
Re:I have a simple ruleset (Score:3, Informative)
Rule #3: Turn off HTML in your email so that your links are text and you can see what they are.
People are naive and "probably" 80% of the people out there do not understand the internet. The rest of us do. Just look at the politicians that make laws to "govern" the internet. They don't understand what the hell they are doing.
That Travelocity email... the hell it's "not spam" (Score:3, Insightful)
I beg to differ. I have no problem believing that it "really is a genuine message from Travelocity."
But spam doesn't mean "phony," it means "unsolicited commercial email." (And in my own opinion that includes "unknowingly 'solicited' commercial email.")
In order for Graham-Cumming or anyone else to say that Travelocity email is not spam, they would need to know whether it was solicited. You can't tell by any examination of the message itself.
If it was actively solicited by someone specifically checking a box requesting to be notified of offers, then, sure, it's not spam. If it was opt-out spam with the opt-out option hidden... or implicit... then it darn well is spam.
Most likely this particular email is in a grey area... quite likely an opt-out was plainly visible, but needed to be actively chosen, at some point in the travel booking process where a customer's thoughts are likely to be elsewhere (where IS that security code on the back of my credit card?).
But it is absolutely wrong to say that the Travelocity message is "not spam," just because it is really from Travelocity.
Spam is spam, even if it is a genuine email from a reliable company informing me of some truly valuable opportunity... _if I didn't ask the company to send me those emails._
Inaccurate Story Title (Score:3, Funny)
As J.R. 'Bob' Dobbs put it.. (Score:3, Insightful)